VirtueMart Forum

VirtueMart 2 + 3 => Plugins: Payment, Shipment and others => Topic started by: user_fra on April 02, 2021, 18:22:38 pm

Title: Extra IPs for IPN check
Post by: user_fra on April 02, 2021, 18:22:38 pm
Hi, (VM3.8.8 J 39.9.25)
please, in the Extra IPs for IPN check field how should I separate the PayPal IPs?
Like this
173.0.81.65 173.0.81.140 64.4.248.0/22
or
173.0.81.65, 173.0.81.140, 64.4.248.0/22
or
173.0.81.65; 173.0.81.140; 64.4.248.0/22
or...
Thank you
Francesco
Title: Re: Extra IPs for IPN check
Post by: user_fra on May 01, 2021, 12:27:10 pm
Hi, please, can anybody answer?
Today I had a problem with a payment even though I have this list in the Extra IPs for IPN check field:
66.211.170.66,173.0.81.1,173.0.81.0/24,173.0.81.33,173.0.81.65,173.0.81.140,64.4.240.0/21,64.4.248.0/22,66.211.168.0/22,173.0.80.0/20,91.243.72.0/23
in paypal.4.log.php I see this error:

---

2021-05-01 09:30:04 DEBUG PaymentNotification, order_number:: Order nr. XYZ
2021-05-01 09:30:04 DEBUG PaymentNotification, virtuemart_paymentmethod_id:: 4
2021-05-01 09:30:04 DEBUG checkPaypalIps $paypal_iplist: Array
(
   
Title: Re: Extra IPs for IPN check
Post by: Jörgen on May 01, 2021, 16:27:01 pm
I guess that the IP range 173.0.81.0/24 expands to 173.0.81.0 - 173.0.81.255. Dividing the input with commas should be correct. I would appreciate other opinions on this, but these are my 2 cents.

Jörgen @ Kreativ Fotografi
Title: Re: Extra IPs for IPN check
Post by: user_fra on May 01, 2021, 20:45:36 pm
Thank you Jörgen, you are very kind.
I add some more details, maybe it helps.
1) The customer paid by credit card.
2) Order was in the pending status.
3) After paying she was redirected to a site page that said "Your order status is pending".
4) In her credit card account detail, it said pending debit.
5) I received an e-mail from my site with this subject: "Error with paypal payment in your shop"
6) The money had already been credited to my paypal account.

Luckily I was on my computer when all this happened, so I quickly fixed the problem changing the order status from pending to confirmed.
My best regards
Francesco
Title: Re: Extra IPs for IPN check
Post by: dmb on May 02, 2021, 01:53:34 am
I got a couple of these today as well for the first time.

I wonder if the "Update: Important information about Instant Payments Notification (IPN) (PP-LIVE-31029)" on https://www.paypal-status.com/bulletin/production is relevant:

Code: [Select]
Update:
This change will now take effect on May 3, 2021. The date in the previous posts has been likewise updated to reflect May 3, 2021.

Mar 11, 16:37 UTC

Update:
This change will now take effect on May 3, 2021.

As a point of clarification, merchants will be receiving IPNs from all the below IP addresses. However, on May 3 2021, the old IP addresses (marked below) will be deprecated and IPNs will only be sent with the new IP addresses (also marked below).

66.211.170.66 (Old)
66.211.170.66 (Old)
173.0.81.1 (Old)
173.0.81.0/24 (Old)
173.0.81.33 (Old)
173.0.81.65 (New)
173.0.81.140 (New)
64.4.240.0/21 (New)
64.4.248.0/22 (New)
66.211.168.0/22 (New)
173.0.80.0/20 (New)
91.243.72.0/23 (New)
Title: Re: Extra IPs for IPN check
Post by: GJC Web Design on May 02, 2021, 09:42:22 am
Totally relevant .. either add these new ips or switch off 
Check IPN provider IP

I assume these will be added in the next release
Title: Re: Extra IPs for IPN check
Post by: dmb on May 02, 2021, 16:23:30 pm
Thanks for the confirmation ... it did look like a huge red flag :)

I have lists of Paypal servers in:

plugins/vmpayment/paypal/paypal/helpers/paypal.php
templates/<template name>/html/com_virtuemart/vmpayment/paypal/helpers/paypal.php

I plan to update both, but it would be interesting to know what the template file is, if anyone knows ?

Also, there appear to be a large number of possible IPN servers (just under 9000 !), if my calculations are correct:

Code: [Select]
<?php

// generates 8959 addresses ...

$arr = ipnIPs(array( "66.211.170.66", "173.0.81.1", "173.0.81.33", "173.0.81.65", "173.0.81.140",
    "173.0.81.0/24", "64.4.240.0/21", "64.4.248.0/22", "66.211.168.0/22", "173.0.80.0/20", "91.243.72.0/23"));

var_dump($arr);

// expand a list of single addresses and CIDR ranges into individual IPv4 addresses
function ipnIPs($cidrs) {

    $range = array();

    foreach ($cidrs as $cidr){

        if (strpos($cidr, '/') === false)
            $range[] = $cidr;
        else {
            $cidr_arr = explode('/', $cidr);

            // first address of the range and first address plus (range size - 1)
            $start_ip = ip2long($cidr_arr[0]);
            $end_ip = $start_ip + pow(2, (32 - (int) $cidr_arr[1])) - 1;

            // generates the .0 and .255 addresses, but we don't care :)

            for ($i = $start_ip ; $i < $end_ip ; $i++)
                $range[] = long2ip($i);
        }
    }

    return $range;
}
?>

I noticed that I can't set "Check IPN Provider IP" to anything other than "Yes" anyway (it resets when I save), so I guess I just check all possible addresses ...

David
Title: Re: Extra IPs for IPN check
Post by: GJC Web Design on May 02, 2021, 17:51:07 pm
I actually hadn't noticed Paypal gives ranges now

e.g.  64.4.240.0/21 (New)

saves fine for me in various installs


Title: Re: Extra IPs for IPN check
Post by: dmb on May 04, 2021, 21:36:23 pm
Thanks for the heads-up GJC, I need to upgrade my VM but the last time I tried the upgrade failed so I need to set a week or so aside to figure out the problem and get all the testing etc. done ... never enough time.

I should do this anyway, as having updated the IP addresses I no longer get the IPN failure, in fact I get no notifications at all from PayPal, and no errors in the web server logs, the Joomla logs or the VM logs, so this is a significant problem right now. Rolling back the IPN code checks makes no difference either, as I guess the "error contacting IPN servers" is somewhat random based on the IPs that are actually alive at Paypal. I've successfully updated my test site to J3.9.26/VM 3.8.9, and I see none of the new IP Addresses in the paypal.php, which is a bit worrying.

However the "IPN Provider IP" works on the test site so I may do something about this on my live site too (in the database) if it temporarily fixes my problem.

What's the actual effect of disabling the "IPN Provider IP" ? Do I lose any callback data like Paypal fees/status, or is it "only" a security feature to stop payments being spoofed as confirmed ?

David

EDIT: After a long night, I've finished testing the test system, upgraded the live site to J3.9.26/VM 3.8.9 too and everything is working very well with "Check IPN provider IP" enabled. I haven't examined the code where the IPN IP addresses are actually checked so I don't know if that's been fixed or if I'm just lucky so far.

Title: Re: Extra IPs for IPN check
Post by: user_fra on June 17, 2021, 09:30:41 am
Quote
What's the actual effect of disabling the "IPN Provider IP" ? Do I lose any callback data like Paypal fees/status, or is it "only" a security feature to stop payments being spoofed as confirmed ?

Very interesting question!
Francesco
Title: Re: Extra IPs for IPN check
Post by: AH on June 17, 2021, 11:05:48 am
Security feature only - I have it disabled for years
Title: Re: Extra IPs for IPN check
Post by: dmb on September 21, 2021, 12:15:56 pm
If anyone wants to have IPN enabled and the correct Paypal servers you could do as I did and change plugins/vmpayment/paypal/paypal/helpers/paypal.php as below.

This works in J3.10.2/VM3.8.9.

I'd really like to override this core file but I don't know where to put my override (I tried in ./templates/<mytemplate>/html/com_virtuemart/vmpayment/paypal/helpers/paypal.php but that didn't work so it's not right :))

updated checkPaypalIps():
Code: [Select]
protected function checkPaypalIps ($paypal_data) {
        /*
                $test_ipn = (array_key_exists('test_ipn', $paypal_data)) ? $paypal_data['test_ipn'] : 0;
                if ($test_ipn == 1) {
                    return true;
                }
        */
        /*
         * adding an extra parameter because getting the IP through gethostbynamel is unfortunately not a reliable method
         */
        if (isset($this->_method->check_ips) and $this->_method->check_ips==0) {
            return true;
        }
        $order_number = $paypal_data['invoice'];

        // Get the list of IP addresses for www.paypal.com and notify.paypal.com

        if ($this->_method->sandbox) {
            $paypalHosts = array('ipn.sandbox.paypal.com','ipnpb.sandbox.paypal.com');
        } else {
            $paypalHosts = array('ipnpb.paypal.com','notify.paypal.com');
        } 

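        $paypal_iplist = array();
        foreach($paypalHosts as $host){
            $ipList = gethostbynamel($host);
            // gethostbynamel() returns false when the lookup fails; skip that host
            if (is_array($ipList)) {
                $paypal_iplist = array_merge($paypal_iplist,$ipList);
            }
        }
        if (isset($this->_method->extra_ips)){
            // entries are comma separated; trim so "a, b" matches as well as "a,b"
            $extraIps = array_map('trim', explode(',',$this->_method->extra_ips));
            $paypal_iplist = array_merge($paypal_iplist,$extraIps);
        }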

        // add the official Paypal IP addresses

        $paypal_iplist = array_merge($paypal_iplist, $this->generateIPNList()); // DMB 20210501
//      $this->debugLog($paypal_iplist, 'checkPaypalIps $paypal_iplist', 'debug', false);

        $remoteIPAddress = ShopFunctions::getClientIP();
        $hostname = gethostbyaddr($remoteIPAddress);
        $this->debugLog($remoteIPAddress, 'checkPaypalIps REMOTE ADDRESS', 'debug', false);

        //  test if the remote IP connected here is a valid IP address
        if (!in_array($remoteIPAddress, $paypal_iplist) and !in_array($hostname, $paypalHosts)) {

            $text = "(plugins/vmpayment/paypal/paypal/helpers/paypal.php) Error with REMOTE IP ADDRESS = " . $remoteIPAddress . ".\n
                        The remote address of the script posting to this notify script does not match a valid PayPal IP address\n
            These are the valid IP Addresses: " . implode(",", $paypal_iplist) . "The Order ID received was: " . $order_number;
            $this->debugLog($text, 'checkPaypalIps', 'error', false);
            return false;
        }

        return true;
    }

New generateIPNList() function - note the list of Paypal address ranges from their most recent advisory notice:

Code: [Select]
/* 
     * DMB 20210501
     *
     * generate an array of Paypal IPN servers
     *
     * From https://www.paypal-status.com/bulletin/production:
     *
     * As previously communicated, PayPal expanded its IPN infrastructure on May 3. All of the IP addresses listed below will be used for IPN:
     *
     * 66.211.170.66
     * 173.0.81.1
     * 173.0.81.0/24
     * 173.0.81.33
     * 173.0.81.65
     * 173.0.81.140
     * 64.4.240.0/21
     * 64.4.248.0/22
     * 66.211.168.0/22
     * 173.0.80.0/20
     * 91.243.72.0/23
     */

    function generateIPNList() {

        $cidrs = array( "66.211.170.66", "173.0.81.1", "173.0.81.33", "173.0.81.65", "173.0.81.140",
            "173.0.81.0/24", "64.4.240.0/21", "64.4.248.0/22", "66.211.168.0/22", "173.0.80.0/20", "91.243.72.0/23");

        $range = array();

        foreach ($cidrs as $cidr){

            if (strpos($cidr, '/') === false)
                $range[] = $cidr;
            else {
                $cidr_arr = explode('/', $cidr);

                $start_ip = ip2long($cidr_arr[0]);
                $end_ip = $start_ip + pow(2, (32 - (int) $cidr_arr[1])) - 1;

                // generates the .0 and .255 addresses, but we don't care :)

                for ($i = $start_ip ; $i < $end_ip ; $i++)
                    $range[] = long2ip($i);
            }
        }

        return $range;
    }

Apologies to the original authors, I based this function on code I found elsewhere and didn't keep a note of the source.
Title: Re: Extra IPs for IPN check
Post by: AH on September 22, 2021, 11:37:20 am
VM did have a fixed IP address function in previous versions of the PayPal Plugins, it was removed as it is not what PayPal suggests in validating IPs

However, it was apparent that a separate additional configuration option might be needed and it was introduced as a new config option in the PayPal payment method settings.

"extra IPs for IPN check "

Have you ever tried using this provided configuration - instead of adding a hard coded set of IP's?
Title: Re: Extra IPs for IPN check
Post by: Phoenix616 on November 04, 2021, 13:13:20 pm
Quote
However, it was apparent that a separate additional configuration option might be needed and it was introduced as a new config option in the PayPal payment method settings.

"extra IPs for IPN check "

Have you ever tried using this provided configuration - instead of adding a hard coded set of IP's?

Unfortunately it seems like they use whole subnets (https://lookouthost.com/papal-ips-for-instant-payments-notification-ipn/) for IPNs now which is not supported by that config field as it only does an in_array check with the IP and does not support subnets.
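
The limitation described in the post above (an exact-match in_array() test cannot honour an entry such as 64.4.248.0/22) can be handled by comparing network prefixes instead of expanding every range into individual addresses. The following PHP is an added example, not part of any post in this thread and not VirtueMart code; ipInAllowList() is a hypothetical helper, IPv4 only, and assumes 64-bit PHP.

```php
<?php
// Added example, not VirtueMart code. ipInAllowList() is a hypothetical helper.

/**
 * Return true if $ip (IPv4) matches any entry of a comma-separated allow-list.
 * Entries may be single addresses ("173.0.81.65") or CIDR ranges ("64.4.248.0/22").
 */
function ipInAllowList(string $ip, string $allowList): bool
{
    $ipLong = ip2long($ip);
    if ($ipLong === false) {
        return false;                       // not a valid IPv4 address
    }

    foreach (explode(',', $allowList) as $entry) {
        $entry = trim($entry);              // tolerate "a, b" as well as "a,b"
        if ($entry === '') {
            continue;
        }

        // A bare address is treated as a /32.
        $parts   = explode('/', $entry, 2);
        $bits    = $parts[1] ?? '32';
        $netLong = ip2long($parts[0]);
        if ($netLong === false || !preg_match('/^\d{1,2}$/', $bits) || (int) $bits > 32) {
            continue;                       // skip malformed entries instead of matching them
        }

        // Build the network mask; /0 is handled separately to avoid a 32-bit shift.
        $bits = (int) $bits;
        $mask = $bits === 0 ? 0 : (~0 << (32 - $bits)) & 0xFFFFFFFF;

        // Same network prefix means the address lies inside the range.
        if (($ipLong & $mask) === ($netLong & $mask)) {
            return true;
        }
    }
    return false;
}

// Constructed check using the comma-separated list posted earlier in the thread.
$extraIps = '66.211.170.66,173.0.81.1,173.0.81.0/24,173.0.81.33,173.0.81.65,173.0.81.140,'
          . '64.4.240.0/21,64.4.248.0/22,66.211.168.0/22,173.0.80.0/20,91.243.72.0/23';

var_dump(ipInAllowList('173.0.81.140', $extraIps)); // address rejected in the log excerpt
var_dump(ipInAllowList('64.4.250.17', $extraIps));  // constructed address inside 64.4.248.0/22
var_dump(ipInAllowList('203.0.113.10', $extraIps)); // constructed address outside every entry
```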
Title: Re: Extra IPs for IPN check
Post by: GJC Web Design on November 04, 2021, 16:01:27 pm
http://forum.virtuemart.net/index.php?topic=146573.msg522819#msg522819

doesn't the code from dmb provide all the ranges as individual ips?   http://forum.virtuemart.net/index.php?topic=146573.msg525192#msg525192

or just switch it off..  have done for the 40+ sites I manage and no fraud yet ...  :P

Title: Re: Extra IPs for IPN check
Post by: AH on November 05, 2021, 12:41:27 pm
Quote
or just switch it off..  have done for the 40+ sites I manage and no fraud yet

Me too
Title: Re: Extra IPs for IPN check
Post by: sohopros on December 21, 2021, 01:52:41 am
We are also getting this error:
Code: [Select]
2021-12-15 12:07:18 ERROR checkPaypalIps: Error with REMOTE IP ADDRESS = 173.0.81.140.
                        The remote address of the script posting to this notify script does not match a valid PayPal IP address
            These are the valid IP Addresses: 64.4.248.8,173.0.81.33,173.0.81.1,173.0.81.65,The Order ID received was:

2021-12-20 16:56:17 ERROR checkPaypalIps: Error with REMOTE IP ADDRESS = 173.0.81.140.
                        The remote address of the script posting to this notify script does not match a valid PayPal IP address
            These are the valid IP Addresses: 64.4.248.8,173.0.81.65,173.0.81.1,173.0.81.33,The Order ID received was:


I read through this entire thread and am still lost as to what to do about it. Our plug-in doesn't have an option to add IP addresses (that I can see anyway).

Joomla 3.10.4
Virtuemart 3.8.8 10472
VM Payment - PayPal plugin 3.8.8

Can someone post a screenshot of the solution, or step-wise instructions?
Title: Re: Extra IPs for IPN check
Post by: Jörgen on December 21, 2021, 09:03:26 am
You should look in payment options, not in the plugin setup.

Add the ip and all will be fine for now

Jörgen
Title: Re: Extra IPs for IPN check
Post by: Bob James on January 01, 2022, 09:19:12 am
Hello, thank you all.

So, I should use the extra IP's field to add IP's?

This is because RDNS of paypal is not a reliable source for creating an array of all the IPs?
Title: Re: Extra IPs for IPN check
Post by: Bob James on January 01, 2022, 09:24:32 am
@GJC

Agreed - there will be no fix as far as I can see due to the PayPal ip ranges changing.

Agree totally - I have IP check switched off for years, on all my customer sites - up until now, no problem has occurred.

Linking to this thread for master.
http://forum.virtuemart.net/index.php?topic=147461.msg526512#msg526512